From: Tim Yamin Fix outstanding security bugs in the Linux zlib implementations. See: a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html b) http://bugs.gentoo.org/show_bug.cgi?id=94584 Signed-off-by: Tim Yamin Signed-off-by: Tavis Ormandy Signed-off-by: Andrew Morton --- lib/inflate.c | 16 +++++++++------- lib/zlib_inflate/inftrees.c | 2 +- 2 files changed, 10 insertions(+), 8 deletions(-) diff -puN lib/inflate.c~fix-outstanding-gzip-zlib-security-issues lib/inflate.c --- devel/lib/inflate.c~fix-outstanding-gzip-zlib-security-issues 2005-07-26 00:05:48.000000000 -0700 +++ devel-akpm/lib/inflate.c 2005-07-26 00:05:48.000000000 -0700 @@ -326,7 +326,7 @@ DEBG("huft1 "); { *t = (struct huft *)NULL; *m = 0; - return 0; + return 2; } DEBG("huft2 "); @@ -374,6 +374,7 @@ DEBG("huft5 "); if ((j = *p++) != 0) v[x[j]++] = i; } while (++i < n); + n = x[g]; /* set n to length of v */ DEBG("h6 "); @@ -410,12 +411,13 @@ DEBG1("1 "); DEBG1("2 "); f -= a + 1; /* deduct codes from patterns left */ xp = c + k; - while (++j < z) /* try smaller tables up to z bits */ - { - if ((f <<= 1) <= *++xp) - break; /* enough codes to use up j bits */ - f -= *xp; /* else deduct codes from patterns */ - } + if (j < z) + while (++j < z) /* try smaller tables up to z bits */ + { + if ((f <<= 1) <= *++xp) + break; /* enough codes to use up j bits */ + f -= *xp; /* else deduct codes from patterns */ + } } DEBG1("3 "); z = 1 << j; /* table entries for j-bit table */ diff -puN lib/zlib_inflate/inftrees.c~fix-outstanding-gzip-zlib-security-issues lib/zlib_inflate/inftrees.c --- devel/lib/zlib_inflate/inftrees.c~fix-outstanding-gzip-zlib-security-issues 2005-07-26 00:05:48.000000000 -0700 +++ devel-akpm/lib/zlib_inflate/inftrees.c 2005-07-26 00:05:48.000000000 -0700 @@ -141,7 +141,7 @@ static int huft_build( { *t = NULL; *m = 0; - return Z_OK; + return Z_DATA_ERROR; } _